Difference between revisions of "Fail2ban"


Revision as of 17:15, 7 June 2014


Installation

apt-get install fail2ban


Fail2ban Configuration

vim /etc/fail2ban/fail2ban.conf


You can:

  • Adjust the log file - default is: /var/log/fail2ban.log
  • Adjust the log level


Restart | check fail2ban

Fail2ban is registered as a service by default.

service fail2ban restart


You can check the log in the dedicated log file:

cat /var/log/fail2ban.log



Ban rules

Edit the ban configuration rule:

vim /etc/fail2ban/jail.conf

Default (generic) properties

 
[DEFAULT]
ignoreip = 127.0.0.1/8 172.16.50.0/24
...
# "bantime" is the number of seconds that a host is banned.
# default 600s ; 86400 = 24h
bantime  = 86400

# Increase the max attempt window because lots of scanners are using the default time + 1s.
# default 600
findtime=3600


  • In "ignoreip" add your LAN + VPN networks
  • Adjust "bantime" and "findtime"


SSH configuration

Enable and adjust:

  • SSH
  • SSH-DDOS
  • SSH-iptables-*
 
[ssh]
enabled  = true
port     = ssh,2200
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 4

...

[ssh-ddos]
enabled  = true
port     = ssh,2200
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 4

...

[ssh-iptables-ipset4]
enabled  = true
port     = ssh,2200
filter   = sshd
banaction = iptables-ipset-proto4
#logpath  = /var/log/sshd.log
logpath  = /var/log/auth.log
maxretry = 4

...

[ssh-iptables-ipset6]
enabled  = true
port     = ssh,2200
filter   = sshd
banaction = iptables-ipset-proto6
#logpath  = /var/log/sshd.log
logpath  = /var/log/auth.log
maxretry = 4


- Note -

  • You can use multi-port filtering with port=X,Y
  • For the iptables rules you have to adjust the logpath
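As an added illustration of the [DEFAULT] and [ssh] settings above (not part of the original page, nor fail2ban's own code), the following Python script replays the ignoreip / findtime / maxretry logic over a constructed auth.log excerpt. It shows why the page raises findtime from the default 600 s: a host spacing its attempts 660 s apart is only caught with the larger window, while a host inside ignoreip is never banned. The log lines, hostname, PIDs and addresses are constructed, and the regex is a simplified stand-in for fail2ban's sshd filter.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# ignoreip from the page's [DEFAULT] excerpt; maxretry=4 below is from its [ssh] jail
IGNOREIP = ["127.0.0.1/8", "172.16.50.0/24"]

# Constructed auth.log excerpt (hostname, PIDs and addresses are made up)
SAMPLE_LOG = """\
Jun  7 17:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Jun  7 17:00:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Jun  7 17:00:08 host sshd[1003]: Failed password for root from 203.0.113.7 port 50003 ssh2
Jun  7 17:00:12 host sshd[1004]: Failed password for root from 203.0.113.7 port 50004 ssh2
Jun  7 17:02:00 host sshd[1005]: Accepted publickey for alice from 172.16.50.20 port 50005 ssh2
Jun  7 17:05:00 host sshd[1006]: Failed password for root from 172.16.50.10 port 50006 ssh2
Jun  7 17:05:03 host sshd[1007]: Failed password for root from 172.16.50.10 port 50007 ssh2
Jun  7 17:05:06 host sshd[1008]: Failed password for root from 172.16.50.10 port 50008 ssh2
Jun  7 17:05:09 host sshd[1009]: Failed password for root from 172.16.50.10 port 50009 ssh2
Jun  7 17:10:00 host sshd[1010]: Failed password for root from 198.51.100.9 port 50010 ssh2
Jun  7 17:21:00 host sshd[1011]: Failed password for root from 198.51.100.9 port 50011 ssh2
Jun  7 17:32:00 host sshd[1012]: Failed password for root from 198.51.100.9 port 50012 ssh2
Jun  7 17:43:00 host sshd[1013]: Failed password for root from 198.51.100.9 port 50013 ssh2
"""
# Simplified stand-in for fail2ban's sshd filter: matches one "Failed password" line shape
FAILED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse_failures(log_text, year=2014):
    """Yield (timestamp, ip) for every failed SSH login; syslog lines carry no year."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def is_ignored(ip, ignoreip=IGNOREIP):
    """True when ip lies inside one of the ignoreip networks, which are never banned."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def banned_hosts(log_text, findtime, maxretry=4, ignoreip=IGNOREIP):
    """IPs that reach maxretry failures inside a sliding window of findtime seconds."""
    recent, banned = defaultdict(list), set()
    for ts, ip in parse_failures(log_text):
        if ip in banned or is_ignored(ip, ignoreip):
            continue
        # keep only failures younger than findtime, then add the current one
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() < findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned
```

banned_hosts(SAMPLE_LOG, 600) returns only 203.0.113.7, while banned_hosts(SAMPLE_LOG, 3600) also returns 198.51.100.9; 172.16.50.10 is never banned because it is covered by ignoreip.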